The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. The DNS associates information with domain names assigned to each of the participating entities. Most prominently, it translates domain names, which can be easily memorized by humans, to the numerical IP addresses needed for locating computer services and devices worldwide. The DNS is an essential component of the functionality of most Internet services because it is the Internet's primary directory service.
The DNS distributes the responsibility of assigning domain names and mapping those names to Internet Protocol (IP) addresses by designating authoritative name servers for each domain. Authoritative name servers are assigned to be responsible for their supported domains, and may delegate authority over sub-domains to other name servers. This mechanism provides distributed and fault tolerant service and was designed to avoid the need for a single central database.
The DNS also specifies the technical functionality of the database service which is at its core. It defines the DNS protocol, a detailed specification of the data structures and data communication exchanges used in DNS, as part of the Internet Protocol Suite. The DNS has been in wide use since the 1980s.
The DNS maintains the domain name hierarchy and provides translation services between the domain name hierarchy and the IP address spaces. Internet name servers and a communication protocol implement the DNS. A DNS name server is a server that stores the DNS resource records for a domain name; a DNS name server responds with answers to queries against its database.
The most common types of resource records stored in the DNS database are for DNS zone authority (SOA), IP addresses (A and AAAA), Simple Mail Transfer Protocol (SMTP) mail exchangers (MX), name servers (NS), pointers for reverse DNS lookups (PTR), and domain name aliases (CNAME). Although not intended to be a general purpose database, DNS can store resource records for other types of data, either for automatic machine lookups or for human queries, such as responsible person (RP) records.
Originally, security concerns were not major design considerations for DNS software or any software for deployment on the early Internet, as the network was not open for participation by the general public. However, the expansion of the Internet into the commercial sector in the 1990s changed the requirements for security measures to protect data integrity and user authentication.
Several vulnerability issues were discovered and exploited by malicious users. One such issue is DNS cache poisoning, in which data is distributed to caching resolvers under the pretense of being an authoritative origin server, thereby polluting the data store with potentially false information and long expiration times (time-to-live). Subsequently, legitimate application requests may be redirected to network hosts operated with malicious intent.
DNS responses are traditionally not cryptographically signed, leading to many attack possibilities. The Domain Name System Security Extensions (DNSSEC) modify the DNS to add support for cryptographically signed responses. Other extensions have been proposed as alternatives to DNSSEC, and still others add support for cryptographic authentication between trusted peers; these are commonly used to authorize zone transfer or dynamic update operations. DNSSEC incorporates digital signatures into the DNS hierarchy, with each level owning its own signature-generating keys. Thus, each organization in the DNS hierarchy must sign the key of the one below it. During validation, DNSSEC follows this “chain of trust” up to the root, automatically validating “child” keys with “parent” keys along the way.
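The chain of trust described above, as an added model in Go that is not part of the original article: each zone holds one key pair, a parent signs a hash of its child's public key (the DS analogue), and a validator starts from a configured trust anchor and returns an answer only when every link verifies. The zone names, the `"DS:"`/`"A:"` record labels and the one-key-per-zone model are assumptions made for brevity; real DNSSEC uses DNSKEY, RRSIG and DS records with separate key-signing and zone-signing keys.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Zone is one level of the hierarchy with a single key pair (assumption; real DNSSEC uses DNSKEY/RRSIG/DS and KSK/ZSK).
type Zone struct {
	Name          string
	Pub           ed25519.PublicKey
	priv          ed25519.PrivateKey
	Records, Sigs map[string][]byte // record name -> data / signature (the RRSIG analogue)
}
func msg(name string, data []byte) []byte { return append([]byte(name+"\x00"), data...) }
func NewZone(name string) *Zone {
	pub, priv, _ := ed25519.GenerateKey(nil)
	return &Zone{name, pub, priv, map[string][]byte{}, map[string][]byte{}}
}
// Sign stores a record and signs it with the zone's own key.
func (z *Zone) Sign(name string, data []byte) {
	z.Records[name], z.Sigs[name] = data, ed25519.Sign(z.priv, msg(name, data))
}
// Delegate is the DS analogue: the parent signs a hash of the child's public key.
func (z *Zone) Delegate(child *Zone) { h := sha256.Sum256(child.Pub); z.Sign("DS:"+child.Name, h[:]) }
// verify checks one record of z against the key currently trusted for z.
func (z *Zone) verify(key ed25519.PublicKey, name string) ([]byte, error) {
	data, ok := z.Records[name]
	if !ok || !ed25519.Verify(key, msg(name, data), z.Sigs[name]) {
		return nil, fmt.Errorf("%s: signature on %q does not validate", z.Name, name)
	}
	return data, nil
}
// Validate walks from the trust anchor (root key) down the chain; a parent's signed DS must match the child's key first.
func Validate(anchor ed25519.PublicKey, chain []*Zone, name string) ([]byte, error) {
	key := anchor
	for i, z := range chain {
		if i == len(chain)-1 {
			return z.verify(key, name) // leaf record, signed by the last zone's key
		}
		child := chain[i+1]
		if ds, err := z.verify(key, "DS:"+child.Name); err != nil {
			return nil, err
		} else if h := sha256.Sum256(child.Pub); string(h[:]) != string(ds) {
			return nil, fmt.Errorf("%s: key does not match the DS signed by %s", child.Name, z.Name)
		}
		key = child.Pub
	}
	return nil, fmt.Errorf("empty chain")
}
```

A record swapped in a cache without a matching signature, a key never vouched for by its parent, or a resolver configured with the wrong anchor all fail validation rather than being accepted.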